Field devices serving to capture and/or modify process variables are frequently used in process automation technology. Field devices in general refer to all devices which are process-oriented and which provide or process process-relevant information. In addition to sensors and actuators, units directly connected to a fieldbus and serving for communication with superordinate units, such as remote I/Os, gateways, linking devices and wireless adapters, are also generally referred to as field devices.
The company group Endress+Hauser offers and distributes a large variety of such field devices.
Authentication is the proof (verification) of a characteristic claimed for an entity, for example for the above-mentioned first unit, which carries out its own authentication by supplying a particular contribution.
Authentication of the entity with regard to the claimed characteristic of authenticity, which may, for example, be the possession of an “existing access right” or “genuineness”, allows the authenticated entity to conduct further actions. The entity is then regarded as authentic.
An entity identified as authentic may optionally also be equipped with different authorizations. An authorization in the context of this document is the granting of limited rights to an entity in a defined context and/or for certain permitted modes, such as read-only access, combined read and write access, or even special administrator rights, which only selected entities may hold.
An authentication remains valid until the respective context is left or modified, or until the respective mode is left or modified.
Wireless solutions are already available for many consumer applications. One example is radio solutions based on one of the standards from the Bluetooth family. With regard to measuring technology applications in the consumer area, state-of-the-art solutions are, for example, the wireless transfer of a sportsman's heart rate or the number of steps to a mobile display/control unit, e.g. to a mobile phone with an integrated Bluetooth interface.
The encryption key is usually established via a so-called “pairing process”, during which a secret key is exchanged between the two communication partners. Because of the limited input capabilities of the devices involved, this key exchange is usually authenticated using a PIN code of only 4 digits. Those 4 digits are frequently set to an (unalterable) standard value, e.g. 0000, especially for measuring devices without a display, which further reduces security.
This type of authentication optimizes operating convenience for the consumer at the expense of security. Such minimal security is not sufficient for the security levels required in industrial plants. The German term “Sicherheit” may be translated into English as either security or safety. The English term security is more precise than the corresponding German word “Sicherheit”. The term safety means that a system reacts as can be expected from its functionality; in short, it reliably works as it should. Security, on the other hand, refers to the protection of the technical processing of information and is a property of a functionally reliable system. It is meant to prevent any unauthorized manipulation of data or disclosure of information. In the following, the German terms “Sicherheit” and “sicher” always refer to security in this sense unless expressly stated otherwise.
Another radio technology known from the IT field is WLAN (WiFi). WLAN, and in particular its security model, is designed to connect many first devices, e.g. several computers or mobile devices, to a single second device, e.g. a router (one-to-many connection). WiFi is not, however, designed to connect a single first device, e.g. one computer or one mobile device, to several second devices, e.g. several routers (many-to-one connection).
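The following example, added here and not part of the original application, illustrates why a pairing authenticated with a 4-digit PIN gives so little protection. It uses a simplified, assumed model of a PIN-authenticated pairing (a MAC over both parties' nonces keyed with the PIN); this is not the Bluetooth pairing algorithm itself, but it shares the decisive property that the PIN is the only secret input. A passive eavesdropper who captures the nonces and the confirm value can test all 10,000 candidate PINs offline.

```python
import hashlib
import hmac
import secrets

# Number of PIN digits; 4 digits give only 10**4 candidates.
PIN_DIGITS = 4


def confirm_value(pin: str, rand_a: bytes, rand_b: bytes) -> bytes:
    """Toy "confirm" value: a MAC over both parties' nonces keyed with the PIN.

    Assumption for illustration only; Bluetooth's own pairing functions differ,
    but share the property that the PIN is the only secret input.
    """
    return hmac.new(pin.encode(), rand_a + rand_b, hashlib.sha256).digest()


def run_pairing(pin: str):
    """Simulate one pairing and return what a passive eavesdropper sees:
    both random nonces and the confirm value sent over the air."""
    rand_a = secrets.token_bytes(16)
    rand_b = secrets.token_bytes(16)
    return rand_a, rand_b, confirm_value(pin, rand_a, rand_b)


def brute_force_pin(rand_a: bytes, rand_b: bytes, observed: bytes):
    """Offline search over every candidate PIN.

    Returns (pin, attempts) on success, or (None, attempts) if nothing matched.
    """
    total = 10 ** PIN_DIGITS
    for candidate in range(total):
        guess = f"{candidate:0{PIN_DIGITS}d}"
        if hmac.compare_digest(confirm_value(guess, rand_a, rand_b), observed):
            return guess, candidate + 1
    return None, total


if __name__ == "__main__":
    # The fixed default "0000" falls on the very first attempt; any other
    # 4-digit PIN falls within 10,000 HMAC computations, i.e. in well under a second.
    print(brute_force_pin(*run_pairing("0000")))
    print(brute_force_pin(*run_pairing("7391")))
```

The search runs entirely on the captured transcript, so the device cannot rate-limit or lock out the attacker, and a fixed default such as 0000 is recovered on the first guess.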
In an industrial context, there are up to several hundred field devices within a plant. These are, for instance, structured into various groups. In turn, there are several different users of those field devices, e.g. personnel who service or calibrate them. Those users usually have different authorizations with regard to the field device groups or the individual field devices. Users are regularly added, permissions are modified, or users lose their access rights, e.g. when they leave the company. External users, such as fire brigade support staff in an emergency or external service providers, need temporary access to certain field devices. Furthermore, the different security requirements of each system have to be taken into account. For example, a higher standard applies to a potable water supply than to wastewater. The security requirements are therefore in many cases very specific to certain applications and systems. Modifying the software/firmware of the individual field devices to reflect individual user authorizations and security features is not feasible for a large number of field devices.
Increased security requirements also apply when access to an automation technology plant is granted via public networks such as mobile phone networks or the internet, or via a radio interface, e.g. on the basis of a Bluetooth standard. Public networks and radio interfaces share the problem that the access channel is easier to “attack” cryptographically than a local, wired connection.
One also has to take into consideration that in many automation technology plants, so-called firewalls deliberately separate the local network from public networks like the internet. On the one hand, this reduces the danger from attacks; on the other hand, security mechanisms based on internet servers are no longer available to the authentication system, because the field device can no longer reach them. For example, the online checking of certificates as commonly performed with the TLS standard (Transport Layer Security, formerly the SSL standard, Secure Sockets Layer), i.e. status and revocation queries to central internet servers run by the issuing certificate authorities, is not possible in many industrial plants.
In addition, the aspect of availability must be considered for field devices. For example, access to a field device for maintenance or during an emergency must not be blocked by a hardware failure that makes the user database on a central server inaccessible. In such cases, autonomous functioning of the field device is necessary, e.g. in such a way that known users retain access using their last valid password.
On the other hand, even for a medium-sized plant with about 50 field devices and 15 users it is not feasible to manage individual accounts without a certain degree of central user management. When a user is added, for example, this user would first have to be added to each of the 50 field devices.
This is why it is so tempting for the operator of a plant to adopt the obvious “solution” of having all users share the same password, with the consequence that in the end any security mechanism is effectively undermined.
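The following example, added here and not part of the original application, shows one way to reconcile the two preceding requirements: central user management (users and their group-specific rights are maintained in one place) combined with autonomous operation of the field device when the central database cannot be reached, using each user's last valid credentials. The central database, the field device, the group names and the PBKDF2 parameters are assumptions for illustration; the device stores only salted password hashes, never the password itself.

```python
import hashlib
import hmac
import secrets

# PBKDF2 parameters: assumption for illustration.
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; the device never stores the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class CentralUserDatabase:
    """Constructed stand-in for the plant's central user management."""

    def __init__(self):
        self.records = {}      # user -> (salt, password hash, {group: rights})
        self.reachable = True  # toggled to simulate a server or network failure

    def set_user(self, user: str, password: str, rights: dict) -> None:
        salt = secrets.token_bytes(16)
        self.records[user] = (salt, hash_password(password, salt), dict(rights))

    def remove_user(self, user: str) -> None:
        self.records.pop(user, None)

    def fetch(self, user: str):
        if not self.reachable:
            raise ConnectionError("central user database unreachable")
        return self.records.get(user)


class FieldDevice:
    """Authenticates against the central database and keeps a local copy of
    the last record it saw for each user, so that known users can still be
    authenticated when the database is unreachable."""

    def __init__(self, group: str, database: CentralUserDatabase):
        self.group = group          # device group, e.g. "potable-water"
        self.database = database
        self.cache = {}             # user -> last record retrieved centrally
        self.last_source = None     # "central" or "cache", for diagnostics

    def authenticate(self, user: str, password: str):
        """Return the user's rights on this device's group, or None if the
        password is wrong, the user is unknown, or the user has no rights here."""
        try:
            record = self.database.fetch(user)
            self.last_source = "central"
            if record is None:
                self.cache.pop(user, None)   # removed centrally: forget the user
            else:
                self.cache[user] = record    # refresh the local copy
        except ConnectionError:
            record = self.cache.get(user)    # autonomous mode: last valid record
            self.last_source = "cache"
        if record is None:
            return None
        salt, expected, rights = record
        if not hmac.compare_digest(hash_password(password, salt), expected):
            return None
        return rights.get(self.group)


if __name__ == "__main__":
    db = CentralUserDatabase()
    db.set_user("alice", "correct horse", {"potable-water": "read-write", "wastewater": "read"})
    dev = FieldDevice("potable-water", db)
    print(dev.authenticate("alice", "correct horse"), dev.last_source)
    db.reachable = False
    print(dev.authenticate("alice", "correct horse"), dev.last_source)
```

The trade-off the text describes is visible in the code: a user removed centrally while the device is offline keeps access until the device next reaches the database, because availability was given priority over immediate revocation. The cache is only ever filled with records obtained from the central database, so a user who was never provisioned cannot log in during an outage.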
Field devices in plants are frequently linked to a control center via an analog or digital interface, e.g. via fieldbus standards like PROFIBUS, FOUNDATION FIELDBUS, HART or alternatively, by transforming the measuring value into an analog current value of, for example, 4 to 20 mA.
At the time of filing, neither the fieldbus standards nor the respective control centers are designed to provide data connections for transmitting information about user accounts, such as encrypted passwords or user rights.
A further aspect that inhibits the application of increased security requirements in factory automation, and in process automation in particular, is the limited capability of the integrated operating units, i.e. the display and operating options, for instance a screen and keys. Since the casings are designed for an industrial environment with regard to dirt, explosion protection, temperature range or limited energy supply, the available features are in many cases so limited that entering a “secure” password, i.e. one that is difficult to guess, is very cumbersome. This is the case, for example, when only 2 keys are available for operation. This aspect is particularly relevant for so-called flameproof (pressure-tight) explosion-protected devices, since routing switches or buttons for the user interface out of the flameproof casing is costly, and for this reason in many cases only a few operating switches are available.